[Users] I don't know how to add AD users
Cristian Falcas
cristi.falcas at gmail.com
Wed Nov 21 20:58:51 UTC 2012
On Wed, Nov 21, 2012 at 10:49 PM, Itamar Heim <iheim at redhat.com> wrote:
> On 11/21/2012 09:40 PM, Cristian Falcas wrote:
>
>>
>> On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas at gmail.com> wrote:
>>
>> On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim at redhat.com> wrote:
>>
>> On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
>>
>> ----- Original Message -----
>> From: "Cristian Falcas" <cristi.falcas at gmail.com>
>> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
>> Cc: users at ovirt.org
>> Sent: Wednesday, November 21, 2012 6:40:34 AM
>> Subject: Re: [Users] I don't know how to add AD users
>>
>> On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>>
>> From: "Cristian Falcas" <cristi.falcas at gmail.com>
>> To: "Itamar Heim" <iheim at redhat.com>
>> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, users at ovirt.org
>> Sent: Tuesday, November 20, 2012 7:33:39 PM
>> Subject: Re: [Users] I don't know how to add AD users
>>
>> On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim at redhat.com> wrote:
>>
>> On 11/20/2012 03:00 PM, Cristian Falcas wrote:
>>
>> Hi,
>>
>> So there is no way to use the domain I have at work, right?
>>
>> I will need to make a freeipa installation in order to add new users.
>>
>> there is no reason this shouldn't work with active directory 2003
>> (assuming its forest level isn't still in AD 2000 compatibility mode?).
>> tcpdump for the traffic during engine-manage-domains should help
>> diagnosing why.
>>
>> Cristian
>>
>>
>> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas
>>
>> < cristi.falcas at gmail.com
>> <mailto:cristi.falcas at gmail.**com<cristi.falcas at gmail.com>>
>> <mailto:
>>
>> cristi.falcas at gmail. com >> wrote:
>>
>>
>>
>>
>> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <
>> iheim at redhat.com <mailto:iheim at redhat.com>
>>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com> >>
>> wrote:
>>
>> On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>>
>>
>>
>>
>> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky
>> < yzaslavs at redhat.com <mailto:yzaslavs at redhat.com>
>> <mailto: yzaslavs at redhat.com <mailto:yzaslavs at redhat.com>
>> >
>>
>>
>> <mailto: yzaslavs at redhat.com
>> <mailto:yzaslavs at redhat.com> <mailto:
>> yzaslavs at redhat.com <mailto:yzaslavs at redhat.com> >>>
>> wrote:
>>
>>
>>
>> On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>>
>>
>>
>>
>> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky
>> < yzaslavs at redhat.com <mailto:yzaslavs at redhat.com>
>> <mailto: yzaslavs at redhat.com <mailto:yzaslavs at redhat.com>
>> >
>> <mailto: yzaslavs at redhat.com
>> <mailto:yzaslavs at redhat.com> <mailto:
>> yzaslavs at redhat.com <mailto:yzaslavs at redhat.com> >>
>> <mailto: yzaslavs at redhat.com <mailto:yzaslavs at redhat.com>
>> <mailto: yzaslavs at redhat.com
>> <mailto:yzaslavs at redhat.com> > <mailto:
>> yzaslavs at redhat.com <mailto:yzaslavs at redhat.com>
>> <mailto: yzaslavs at redhat.com
>> <mailto:yzaslavs at redhat.com> >>> > wrote:
>>
>>
>>
>> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>>
>>
>>
>> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim
>> < iheim at redhat.com <mailto:iheim at redhat.com> <mailto:
>> iheim at redhat.com <mailto:iheim at redhat.com> >
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com> >>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com> >
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com> >>>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com> >
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com> >>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com> >
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com>
>> <mailto: iheim at redhat.com <mailto:iheim at redhat.com>
>> >>>>> wrote:
>>
>> On 11/19/2012 11:29 AM, Vinzenz
>> Feenstra wrote:
>>
>> On 11/19/2012 10:01 AM, Cristian
>> Falcas wrote:
>>
>> Hi,
>>
>> I'm trying to add some users to ovirt using an AD.
>>
>> This is the configuration I used for a mediawiki site, which is working
>> correctly:
>>
>> $wgAuth = new LdapAuthenticationPlugin();
>> $wgLDAPUseLocal = true;
>> $wgLDAPDomainNames = array("a_domain");
>> $wgLDAPServerNames = array("a_domain"=>"site.example.com");
>> $wgLDAPEncryptionType = array("a_domain"=>"clear");
>> $wgLDAPSearchStrings = array("a_domain"=>"rom_domain\\USER-NAME");
>> $wgLDAPBaseDNs = array("a_domain"=>"dc=company,dc=com");
>>
>> Those are the commands I tried using:
>>
>> engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>>
>> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name at company.com -interactive
>>
>> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name at site.example.com -interactive
>>
>> You don't add a user this way. You add the domain. You have to pass the
>> domain admin user and the domain admin password.
>>
>> any domain user will do, doesn't have to be an admin.
>> what does the log say?
>>
>> Then you can use the domain within the engine, e.g. search users, add
>> access rights for vms etc. Even login to the engine and assigning rights
>> within the engine you can handle from the engine itself.
>>
>> Regards,
>>
>> And the output on all tries:
>> Enter password:
>>
>> Error: Authentication Failed. Please verify the fully qualified domain
>> name that is used for authentication is correct..
>> Problematic domain is: domain_used_in_command
>> Failure while applying Kerberos configuration. Details: Authentication
>> Failed. Please verify the fully qualified domain name that is used for
>> authentication is correct.
>>
>> Can someone help me with the correct parameters?
>>
>> Best regards,
>> Cristian Falcas
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>> --
>> Regards,
>>
>> Vinzenz Feenstra | Senior Software Engineer
>> RedHat Engineering Virtualization R & D
>> Phone: +420 532 294 625
>> IRC: vfeenstr or evilissimo
>>
>> Better technology. Faster innovation. Powered by community collaboration.
>> See how it works at redhat.com
>>
>> Hi,
>>
>> This is the command I used (the same error is with -interactive parameter):
>>
>> engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name at a_domain -passwordFile=/tmp/pass
>>
>> [root at localhost ~]# cat /tmp/pass
>> qwerty[root at localhost ~]#
>>
>> This is the log:
>>
>> 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>> 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>>
>> Hi, the error indicates you don't have kerberos configured.
>> manage-domains validates by default using GSSAPI/Kerberos (if I
>> understand correctly, this is equivalent to running ldapsearch with the
>> -Y gssapi option).
>> I wonder if -x (simple authentication) will work for you as well (as
>> manage-domains contains code for simple authentication as well).
>>
>> This is the ldapsearch command that works (it retrieves users) from the
>> same machine:
>>
>> ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name at a_domain -w qwerty
>>
>> Best regards,
>> Cristian Falcas
>>
>> Hi,
>>
>> I used "-x" for ldapsearch and the result is the same: list retrieved.
>> Is there any equivalent for engine-manage-domains?
>>
>> Cristian
>>
>> Hi Cristian, there is no code allowing to add simple-authentication
>> domains to Manage-Domains.
>> In the past we did have the ability to do that, but there are several
>> problematic issues.
>> What ldap server are you working against? Maybe I missed that.
>>
>> Hi,
>>
>> The server is a Microsoft AD 2003.
>>
>> Best regards,
>> Cristian Falcas
>>
>> this should work, is the AD also the DNS server for the ovirt engine
>> machine?
>>
>> yes
>>
>> Could you take a look at the tcp dump? There are only 2 messages
>> relevant to this (let me know if you want the full dump):
>>
>> - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
>>
>> - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
>>
>> Also, I tried to run ldapsearch with -Y gssapi:
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>> additional info: SASL(-4): no mechanism available: No worthy mechs found
>>
>> Best regards,
>> Cristian Falcas
>>
>> The SRV records look fine.
>> If I remember correctly, your DNS should have a reverse-resolve PTR
>> record to your engine machine. Does it exist?
>>
>> I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
>>
>> [root at localhost ~]# nslookup 10.0.0.xx
>> Server: 10.0.0.yyy
>> Address: 10.0.0.yyy#53
>>
>> ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
>>
>> [root at localhost ~]# host 10.0.0.xx
>> Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>
>> I will ask them to add a DNS record for the machine.
>>
>> Indeed, do that.
>> In the engine we require both reverse-resolve PTR record, Kerberos SRV
>> record and LDAP SRV record. Make sure you have all three in the DNS.
>> The PTR + Kerberos records are used for the kerberos authentication (and
>> constructing the krb5.conf file in the engine-manage-domains utility).
>> The LDAP SRV record is used for the directory queries (it is used in the
>> utility + the ovirt engine, to look for LDAP servers).
>>
>> Yair - sounds like we need a how-to to troubleshoot AD issues?
>>
>> Hi,
>>
>> So, after all, I was using the wrong domain. In my company we use
>> everywhere (web, email, etc) as the domain "a_domain" instead of the
>> usual company.com. So it worked with:
>>
>> engine-manage-domains -action=add -domain=company.com -provider=ActiveDirectory -user=user.name -passwordFile=/tmp/pass
>>
>> Some steps I did for my investigation:
>>
>> 1. test if the domain has a kerberos service:
>>
>> host -t srv _kerberos._tcp.company.com
>>
>> 2. use kinit instead of engine-manage-domains (much faster):
>>
>> cp /etc/ovirt-engine/krb5.conf /etc/
>>
>> 3. test with:
>>
>> kinit user.name at company.com -V
>>
>> Just to let others know what errors I had and how I fixed them:
>>
>> 1. Client not found in Kerberos database while getting initial
>> credentials: wrong user name
>>
>> 2. Cannot find KDC for requested realm: the realm you are using in the
>> command line is not defined in the krb5.conf file.
>>
>> - at the beginning I was using kinit user.name at a_domain -V, but there
>> was no a_domain realm defined.
>> - check the file and try to update it or correct your kinit command in
>> order to use the correct realm
>>
>> [realms]
>> COMPANY.COM = {
>> kdc = site1.company.com.:88
>> kdc = site2.company.com.:88
>> kdc = site3.company.com.:88
>> }
>>
>> 3. KDC reply did not match expectations while getting initial
>> credentials: you may have the same realm in your command line and in
>> the krb5.conf file, but the server thinks this is not correct.
>> - use wireshark to see what realm the server has: protocol KRB5,
>> messages AS-REQ and AS-REP
>>
>> Thank you for all your help.
>>
>> Cristian
>>
>> I forgot. Use this kinit command for tests instead:
>>
>> kinit user.name
>>
>> Because I was using the realm in the command line I had all of the above
>> problems.
>
> do you mind adding these to a wiki for steps to troubleshoot for the next
> one to tackle this?
>
> thanks,
> Itamar
>
>
I'm glad to help. Can someone help me with an account?
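The three DNS records Yair says the engine requires (engine PTR, _kerberos._tcp SRV, _ldap._tcp SRV), the krb5.conf [realms] stanza and the "Cannot find KDC for requested realm" realm mismatch from Cristian's write-up, as an added preflight script that is not part of this thread or of oVirt's engine-manage-domains: it parses the output of `host -t srv` and `host IP` (constructed samples below, with placeholder host names) and reports what is missing.

```python
# Added preflight check, not oVirt's own code: parse `host` output for the
# records the thread says engine-manage-domains needs, render the krb5.conf
# [realms] stanza, and check a kinit principal against the defined realms.
from __future__ import annotations

import re
from dataclasses import dataclass

# Line formats printed by `host -t srv NAME` and by `host IP`.
SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")
PTR_RE = re.compile(r"^\S+ domain name pointer (\S+?)\.?$")


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # trailing dot stripped


def parse_srv(host_output: str) -> list[SrvRecord]:
    """Collect SRV answers from `host -t srv` output; other lines are ignored."""
    records = []
    for line in host_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append(SrvRecord(int(m[2]), int(m[3]), int(m[4]), m[5]))
    return records


def parse_ptr(host_output: str) -> str | None:
    """Return the PTR target from `host IP` output, or None on NXDOMAIN."""
    for line in host_output.splitlines():
        m = PTR_RE.match(line.strip())
        if m:
            return m[1]
    return None


def preflight(domain: str, krb_out: str, ldap_out: str, ptr_out: str) -> list[str]:
    """Report which of the three DNS records named in the thread are missing."""
    problems = []
    if not parse_srv(krb_out):
        problems.append(f"no SRV record for _kerberos._tcp.{domain}")
    if not parse_srv(ldap_out):
        problems.append(f"no SRV record for _ldap._tcp.{domain}")
    if parse_ptr(ptr_out) is None:
        problems.append("no PTR record for the engine machine")
    return problems


def realm_stanza(domain: str, kdcs: list[SrvRecord]) -> str:
    """Render the [realms] block in the layout the thread's krb5.conf uses."""
    lines = ["[realms]", f"{domain.upper()} = {{"]
    for r in sorted(kdcs, key=lambda r: (r.priority, -r.weight)):
        lines.append(f"  kdc = {r.target}:{r.port}")
    lines.append("}")
    return "\n".join(lines)


def check_principal(principal: str, default_realm: str, defined: set[str]) -> str | None:
    """kinit uses the realm after '@' (or default_realm when none is given); an
    undefined realm is the 'Cannot find KDC for requested realm' case above."""
    realm = principal.rsplit("@", 1)[1] if "@" in principal else default_realm
    return None if realm in defined else f"realm {realm} is not defined in krb5.conf"


# Constructed samples mirroring the thread's records; names are placeholders.
KRB_OUT = """_kerberos._tcp.company.com has SRV record 0 100 88 site1.company.com.
_kerberos._tcp.company.com has SRV record 0 100 88 site2.company.com.
_kerberos._tcp.company.com has SRV record 0 100 88 site3.company.com."""
LDAP_OUT = "_ldap._tcp.company.com has SRV record 0 100 389 site1.company.com."
PTR_MISSING = "Host 5.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)"
PTR_OK = "5.0.0.10.in-addr.arpa domain name pointer engine.company.com."

if __name__ == "__main__":
    print(preflight("company.com", KRB_OUT, LDAP_OUT, PTR_MISSING))
    print(realm_stanza("company.com", parse_srv(KRB_OUT)))
    print(check_principal("user.name@a_domain", "COMPANY.COM", {"COMPANY.COM"}))
```

On a real engine host, feed the script the output of `host -t srv _kerberos._tcp.<domain>`, `host -t srv _ldap._tcp.<domain>` and `host <engine-ip>` instead of the constructed strings.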